Container image scanning?

[Darwiner]

Has anyone been able to get any useful output from combining trivy + reviewdog for container image scanning?

I would have hoped to keep using https://github.com/reviewdog/action-trivy for both fs scans (which works great) as much as image scans (and not have to also use https://github.com/reviewdog/action-trivy for image scans), but I'm not finding any method to get any useful output in any way.

Considering the output that trivy comes up for container image scans, which doesn't reference to any file nor location that reviewdog sees... I suppose that might be why there's nothing to reference to and the result is just nothing (even with setting filter mode to nofilter)?

At best, I could add a trivy flag to also output to a file, and have that file be included as a PR comment... But then comes the fact that the file would be in sarif format. Not very useful from a human-readable standpoint. :)

[nayuta]

@Darwiner I think reviewdog on image scanning is not suitable for GitHub PR. As you said, in GitHub PR, we (and the reviewer) can not comment on other than changed lines. So, we can add comments without any changed lines, but they don't need to be reviewed.